Session timeout leads to Access Denied in Spring MVC when integrating CSRF with Spring Security
Question
I have integrated the CSRF token with Spring Security in my Spring MVC project. Everything works properly with the CSRF token; the token is sent from the client side to the server side.
I have changed my logout process to make it a POST method that sends the CSRF token, and it works fine.
I faced a problem when a session timeout occurs: it needs to be redirected to the Spring default logout URL, but it gives me Access Denied on that URL.
How can I override this behavior?
I have included the line below in my security config file:
<http>
    <!-- Other config parameters -->
    <csrf/>
</http>
Please let me know if anyone needs more information.
Recommended answer
The question is a bit old, but answers are always useful.
First, this is a known issue with session-backed CSRF tokens, as described in the docs: CSRF Caveats - Timeouts.
To solve it, use some JavaScript to detect imminent timeouts, use a session-independent CSRF token repository, or create a custom AccessDeniedHandler route. I chose the latter:
XML configuration:
<http>
    <!-- ... -->
    <access-denied-handler ref="myAccessDeniedHandler"/>
</http>

<bean id="myAccessDeniedHandler" class="package.MyAccessDeniedHandler">
    <!-- <constructor-arg ref="myInvalidSessionStrategy" /> -->
</bean>
MyAccessDeniedHandler:
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.csrf.MissingCsrfTokenException;

public class MyAccessDeniedHandler implements AccessDeniedHandler {
    /* ... */

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException exception)
            throws IOException, ServletException {
        if (exception instanceof MissingCsrfTokenException) {
            /* Handle as a session timeout (redirect, etc).
               Even better if you inject the InvalidSessionStrategy
               used by your SessionManagementFilter, like this:
               invalidSessionStrategy.onInvalidSessionDetected(request, response);
            */
        } else {
            /* Redirect to an error page, send HTTP 403, etc. */
        }
    }
}
Alternatively, you can define the custom handler as a DelegatingAccessDeniedHandler:
<bean id="myAccessDeniedHandler" class="org.springframework.security.web.access.DelegatingAccessDeniedHandler">
    <constructor-arg name="handlers">
        <map>
            <entry key="org.springframework.security.web.csrf.MissingCsrfTokenException">
                <bean class="org.springframework.security.web.session.InvalidSessionAccessDeniedHandler">
                    <constructor-arg name="invalidSessionStrategy" ref="myInvalidSessionStrategy" />
                </bean>
            </entry>
        </map>
    </constructor-arg>
    <constructor-arg name="defaultHandler">
        <bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
            <property name="errorPage" value="/my_error_page"/>
        </bean>
    </constructor-arg>
</bean>
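As an added example (not the answer's code and not part of Spring Security), here is a fuller version of the handler that also separates the two CSRF failures the CsrfFilter can raise: MissingCsrfTokenException (no token stored server-side, i.e. the session that held it expired) is handed to the session-timeout strategy, while InvalidCsrfTokenException (a token was submitted but does not match) stays a plain 403 rather than being mistaken for a timeout. It assumes the javax.servlet API and the Spring Security 3.2+ classes named in the imports; the class name, /login?expired and /my_error_page are placeholders.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.csrf.InvalidCsrfTokenException;
import org.springframework.security.web.csrf.MissingCsrfTokenException;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;

/** Treats a MISSING server-side token as an expired session, but keeps a
 *  MISMATCHING token (a real CSRF check failure) as a hard 403. Hypothetical class. */
public class CsrfAwareAccessDeniedHandler implements AccessDeniedHandler {

    private final InvalidSessionStrategy invalidSessionStrategy;
    private final String errorPage;

    /** Illustrative defaults: /login?expired and /my_error_page are assumed paths. */
    public CsrfAwareAccessDeniedHandler() {
        this(new SimpleRedirectInvalidSessionStrategy("/login?expired"), "/my_error_page");
    }

    /** Inject the same InvalidSessionStrategy your SessionManagementFilter uses. */
    public CsrfAwareAccessDeniedHandler(InvalidSessionStrategy invalidSessionStrategy, String errorPage) {
        this.invalidSessionStrategy = invalidSessionStrategy;
        this.errorPage = errorPage;
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException exception) throws IOException, ServletException {
        if (exception instanceof MissingCsrfTokenException) {
            // No token exists server-side: the HttpSession that stored it is gone,
            // so this is the post-timeout POST (e.g. logout), not a forged request.
            invalidSessionStrategy.onInvalidSessionDetected(request, response);
        } else if (exception instanceof InvalidCsrfTokenException) {
            // A token was submitted but does not match the stored one:
            // a genuine CSRF check failure, never to be masked as a timeout.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid CSRF token");
        } else {
            // Any other authorization failure: 403 plus the error page, like AccessDeniedHandlerImpl.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            request.getRequestDispatcher(errorPage).forward(request, response);
        }
    }
}
```

Wire it in place of package.MyAccessDeniedHandler in the `<access-denied-handler ref="myAccessDeniedHandler"/>` bean above, passing the same InvalidSessionStrategy bean your `<session-management>` uses so the timeout redirect is consistent for both paths.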